Information Exposure Affecting github.com/prebid/prebid-server/privacy/ccpa package, versions <0.113.0


Severity: high

CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-GOLANG-GITHUBCOMPREBIDPREBIDSERVERPRIVACYCCPA-1015605
  • Published: 18 May 2020
  • Disclosed: 18 May 2020
  • Credit: djcsdy

Introduced: 18 May 2020

CVE: not available. CWE: CWE-200

How to fix?

Upgrade github.com/prebid/prebid-server/privacy/ccpa to version 0.113.0 or higher.

Overview

github.com/prebid/prebid-server/privacy/ccpa is the CCPA privacy-policy package of Prebid Server, an open source implementation of Server-Side Header Bidding.

Affected versions of this package are vulnerable to Information Exposure. Specifically, privacy/ccpa/policy.go and privacy/gdpr/policy.go build JSON by concatenating strings instead of using a JSON encoder. If the us_privacy (CCPA) or consent (GDPR) value contains a " character, the quote terminates the string literal and the rest of the value is read as JSON syntax, producing either malformed JSON or JSON with a structure the code did not intend. An attacker who controls those values can exploit this to make Prebid Server mutate an OpenRTB bid request so that it carries arbitrary data, bypassing validation.
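As an added illustration (not code from the Prebid Server repository), the Go program below contrasts the concatenation pattern the advisory describes with an encoder-based rewrite of regs.ext. The Regs type, the function names, the format check and the constructed us_privacy values are assumptions made for this example; writeUSPrivacyUnsafe is a simplification of the pattern, not a copy of the affected policy.go.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Regs is a minimal stand-in for the OpenRTB "regs" object (an assumed shape
// for this example, not the project's openrtb.Regs type): a flag plus an
// opaque "ext" blob that Prebid Server rewrites with the privacy policy.
type Regs struct {
	COPPA int8            `json:"coppa,omitempty"`
	Ext   json.RawMessage `json:"ext,omitempty"`
}

// writeUSPrivacyUnsafe reproduces the pattern the advisory describes: regs.ext
// is produced by string concatenation, so a '"' inside consent closes the
// string literal and whatever follows is read as JSON syntax.
func writeUSPrivacyUnsafe(consent string) json.RawMessage {
	return json.RawMessage(`{"us_privacy":"` + consent + `"}`)
}

// writeUSPrivacySafe serialises through encoding/json, which escapes '"', '\'
// and control characters, so consent always stays a single string value.
func writeUSPrivacySafe(consent string) (json.RawMessage, error) {
	return json.Marshal(map[string]string{"us_privacy": consent})
}

// isValidUSPrivacy enforces the IAB US Privacy string format: four characters,
// a version digit followed by three of 'Y', 'N' or '-'.
func isValidUSPrivacy(s string) bool {
	if len(s) != 4 || s[0] < '0' || s[0] > '9' {
		return false
	}
	for _, c := range s[1:] {
		if c != 'Y' && c != 'N' && c != '-' {
			return false
		}
	}
	return true
}

// setUSPrivacy is the hardened write into an existing regs.ext: reject values
// that are not well-formed, decode what is already there, set the one key and
// re-encode. No raw bytes from the request are ever spliced into the output.
func setUSPrivacy(regs *Regs, consent string) error {
	if !isValidUSPrivacy(consent) {
		return fmt.Errorf("invalid us_privacy string %q", consent)
	}
	ext := map[string]json.RawMessage{}
	if len(regs.Ext) > 0 {
		if err := json.Unmarshal(regs.Ext, &ext); err != nil {
			return fmt.Errorf("regs.ext is not a JSON object: %w", err)
		}
	}
	v, err := json.Marshal(consent)
	if err != nil {
		return err
	}
	ext["us_privacy"] = v
	regs.Ext, err = json.Marshal(ext)
	return err
}

// decodeExt parses an ext blob into a generic map, which is what a bidder
// adapter would ultimately see.
func decodeExt(ext json.RawMessage) (map[string]interface{}, error) {
	var m map[string]interface{}
	if err := json.Unmarshal(ext, &m); err != nil {
		return nil, err
	}
	return m, nil
}

func main() {
	// Constructed attacker value: a plausible prefix, a closing quote, then an
	// extra key the attacker wants the rewritten bid request to carry.
	payload := `1YN-","gdpr":0,"injected":"yes`

	unsafe := writeUSPrivacyUnsafe(payload)
	fmt.Printf("concatenated: %s\n", unsafe)
	if m, err := decodeExt(unsafe); err == nil {
		fmt.Printf("  parses, us_privacy=%v injected=%v\n", m["us_privacy"], m["injected"])
	}

	safe, _ := writeUSPrivacySafe(payload)
	fmt.Printf("marshalled:   %s\n", safe)

	// An unbalanced quote injects nothing; it just yields malformed JSON.
	if _, err := decodeExt(writeUSPrivacyUnsafe(`1YN-"`)); err != nil {
		fmt.Println("unbalanced quote:", err)
	}

	regs := &Regs{Ext: json.RawMessage(`{"gdpr":1}`)}
	fmt.Println("hardened write of payload:", setUSPrivacy(regs, payload))
	err := setUSPrivacy(regs, "1YNN")
	fmt.Println("hardened write of 1YNN:", err, string(regs.Ext))
}
```

The concatenated form of the payload parses cleanly with an extra "injected" key and a gdpr value the attacker chose, which is the "unintended structure" case; the unbalanced quote is the "malformed JSON" case. The encoder-based write keeps the whole payload inside the us_privacy string, and the format check rejects it before any rewrite happens.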

CVSS Base Scores: version 3.1